
We have found an issue with some production systems: the anti-virus causes the program to become slow a lot of the time and generally interferes with the activity of our software. Now, as far as I know, this is exactly what the anti-virus is supposed to do in order to protect the machine from files coming in from the network. Most of the time the issue is solved by placing the process and folders of our application in the trusted list. While this is a temporary solution, in the long run it poses a security threat.

I wonder, is there a known way to integrate with AVs and tell them when to scan a file and when to trust it? Some kind of API, both in C++ and in Java. I have seen this issue with McAfee and Symantec.

Any known strategies on how to integrate software with AV?

How do FTP servers and similar software handle such issues?

Support for McAfee and Symantec would cover most of my needs. I can't control which AV the customer places on his machine.

Edit: Just to be clear I don't want to add the process/folders to the trusted list via API. I want to perform scanning through API.

qballer

2 Answers


If you want security you scan the file on every access. If you want to take the trade off of less security vs greater performance, then turn off active scanning and just use your scan scheduler.

Your talk of trusting the file doesn't make a lot of sense in the context of file storage and access, however you could just scan on your web gateway inbound before the file lands on your server. This doesn't take into account infection from your server itself, so you'll still want to regularly scan your server.

Your point regarding FTP servers is a bit irrelevant here. It is a server. If you want AV on the server, you implement it, and depending on the risk profile you either scan on every access or schedule scans.

If you want greater performance while keeping security, use faster disks, RAID or other disk speed improvements.

Rory Alsop
  • The file is short lived in the system, so I would like to scan it once, then I read it and delete it. In order to improve performance I would like to place the folder in the trust list and ask the AV to scan it via API. Is this possible? – qballer Mar 02 '14 at 10:48
  • 1
    This doesn't make sense. If you are accepting the file, reading once, then deleting, either scan on receipt or on read. Either are easy and standard. Why are you wanting an api function? – Rory Alsop Mar 02 '14 at 10:56
  • 1
    Oh, and why would you place it in a trust list before you have scanned it? That breaks the model entirely. – Rory Alsop Mar 02 '14 at 10:57
  • I would like to scan it at the moment that the file is fully created and not while it's being received over the network, meaning get the file fully, scan it and then read it and perform actions. This makes no sense to you? – qballer Mar 02 '14 at 13:18
  • But that is what happens in almost all implementations. So I'm puzzled why you would be scanning fragments. – Rory Alsop Mar 02 '14 at 13:20
  • hmmm... the facts are that the AV caused issues with the system which were solved as soon as we excluded the folders/process. It could very well be that my assumptions on why this is happening are very wrong. Any advice on how to proceed? where to read up on how AV works? – qballer Mar 02 '14 at 13:25
  • let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/13336/discussion-between-qballer-and-rory-alsop) – qballer Mar 02 '14 at 13:26
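An added example (not code from the original question or either answer) of the scan-on-receipt pattern Rory Alsop describes, done through a scanner API rather than by relying on the AV's on-access hook: the file lands in a staging folder, is scanned exactly once when it is complete, and only a clean file is moved into the folder the application reads. It uses the ClamAV clamd INSTREAM protocol because that is a documented, vendor-neutral scan API; nothing here covers McAfee or Symantec, and on Windows 10 and later Microsoft's Antimalware Scan Interface (AMSI, `AmsiScanBuffer`) gives the same application-initiated scan against whichever registered AV is installed. The host/port, directory names, sample file and the `FakeClamd` replies are constructed for this example.

```python
"""Scan a received file once, via clamd's INSTREAM API, before trusting it.

Protocol (clamd(8)): client sends "zINSTREAM\0", then chunks framed as a
4-byte big-endian length plus data, then a zero-length chunk; clamd replies
"stream: OK\0" or "stream: <signature> FOUND\0" (the leading 'z' asks for
NUL-terminated replies). Any other reply, e.g. a StreamMaxLength error, is
treated as "no verdict" and the file stays in staging.
"""
import shutil
import socket
import struct
import tempfile
from pathlib import Path

CHUNK = 65536  # bytes per chunk; clamd additionally enforces StreamMaxLength


def instream_frames(data: bytes, chunk: int = CHUNK):
    """Yield the exact bytes of a zINSTREAM request for `data`."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack(">I", len(part)) + part
    yield struct.pack(">I", 0)  # zero-length chunk ends the stream


def parse_reply(reply: bytes):
    """Return (clean, signature_name); raise if clamd gave no verdict."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    if text == "stream: OK":
        return True, None
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return False, text[len("stream: "):-len(" FOUND")]
    raise RuntimeError("clamd did not return a verdict: %r" % text)


def scan_bytes(data: bytes, sock):
    """Run one INSTREAM exchange over a connected socket-like object."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    buf = b""
    while not buf.endswith(b"\0"):  # reply is NUL-terminated
        piece = sock.recv(4096)
        if not piece:
            break
        buf += piece
    return parse_reply(buf)


def scan_file_with_clamd(path, host="127.0.0.1", port=3310, timeout=30.0):
    """Default scanner: clamd on a TCP socket (host/port are assumptions)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return scan_bytes(Path(path).read_bytes(), sock)


def accept_upload(staging_path, inbox_dir, quarantine_dir, scanner=scan_file_with_clamd):
    """Scan-on-receipt: staging -> inbox if clean, staging -> quarantine if not.

    If the scanner raises, the file is left in staging and nothing reads it.
    """
    staging_path = Path(staging_path)
    clean, sig = scanner(staging_path)
    dest_dir = Path(inbox_dir) if clean else Path(quarantine_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / staging_path.name
    shutil.move(str(staging_path), str(dest))
    return clean, sig, dest


class FakeClamd:
    """In-memory stand-in for the clamd socket; `reply` is a constructed verdict."""

    def __init__(self, reply: bytes):
        self.received = bytearray()
        self._reply = reply

    def sendall(self, data):
        self.received += data

    def recv(self, n):
        out, self._reply = self._reply[:n], self._reply[n:]
        return out


def demo_accept_upload(verdict_reply: bytes):
    """Offline run: a constructed upload in a temp dir, scanned by FakeClamd."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staged = root / "staging" / "report.pdf"
        staged.parent.mkdir()
        staged.write_bytes(b"%PDF-1.4 constructed sample\n")

        def scanner(path):
            return scan_bytes(Path(path).read_bytes(), FakeClamd(verdict_reply))

        clean, sig, dest = accept_upload(staged, root / "inbox", root / "quarantine", scanner)
        return clean, sig, dest.parent.name, not staged.exists(), dest.exists()


if __name__ == "__main__":
    print(demo_accept_upload(b"stream: OK\0"))
    print(demo_accept_upload(b"stream: Eicar-Test-Signature FOUND\0"))
```

The design choice is that only the staging folder needs to be excluded from on-access scanning, and nothing in the application ever reads from it; the inbox folder only ever receives files that came back "OK" from the scanner. This addresses the "scan it once when it is complete" requirement from the comments above, but, as the answer notes, it only covers files the application receives, so a scheduled scan of the server itself is still needed.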

If there were such an API for an antivirus, virus designers could easily access it and make their malicious code appear as safe :) If there is a case of a false positive, you can contact the antivirus vendors and resolve the issue.

There is also something called the PUA (Potentially Unwanted Programme) list. You may also want to check if your application falls into it.

AV works by running a service that integrates into system I/O and network activities. There are certain patterns that are checked by AV, like infinite loops, and network and file creation activities that may fall into the category of malicious activities. Take care that your program is free from those, and also take care about the packers/protectors you use, if you use any.

techno
  • Just to be clear I don't want to add the process/folders to the trusted list via API. I want to perform **scanning** through API. – qballer Mar 02 '14 at 17:57